vault-plugin-secrets-wireguard
Wireguard secrets engine for Vault
Vault Plugin: Wireguard Secrets Engine
Automatically generate Wireguard keys and configurations for your servers to create a Wireguard mesh network.
Install
- Add
plugin_directory = "<folder-where-you-will-put-the plugin>"
to your vault config.
- Download the plugin from the releases page to the folder above and decompress it. Keep the name with the version in it.
- Register the plugin in vault:
$ vault plugin register -command=${PLUGIN_PATH} -sha256=$(sha256sum ${PLUGIN_PATH} | cut -d' ' -f 1) vault-plugin-secrets-wireguard
- Enable the plugin in vault:
$ vault secrets enable -description='wireguard keys' -path=wireguard vault-plugin-secrets-wireguard
Upgrade
- Download a newer version of the plugin from the releases page to the folder above and decompress it. Keep the name with the version in it.
- Register the new version:
$ vault plugin register -command=${PLUGIN_PATH} -sha256=$(sha256sum ${PLUGIN_PATH} | cut -d' ' -f 1) vault-plugin-secrets-wireguard
- Reload the plugin:
$ vault plugin reload -plugin=vault-plugin-secrets-wireguard
Usage
After installing the secrets engine, you can configure groups and associate peers with the group.
Groups
- Add a group with the name 'mygroup' using the network '10.0.0.0/24':
$ vault write wireguard/groups/mygroup network=10.0.0.0/24
- Change the group to use the network '10.1.0.0/24':
$ vault write wireguard/groups/mygroup network=10.1.0.0/24
- Delete the group:
$ vault delete wireguard/groups/mygroup
Peers
- Add a peer with a hostname of peer1 and a static port of 51820 (the public and private keys will be generated automatically):
$ vault write wireguard/groups/mygroup/peer1 port=51820
- Change the peer's wireguard keys (public_key will be generated from the private_key):
$ vault write wireguard/groups/mygroup/peer1 private_key=$(wg genkey)
- Delete the peer:
$ vault delete wireguard/groups/mygroup/peer1
- Generate a configuration suitable for wg-quick:
$ vault read -field=config wireguard/groups/mygroup/peer1/wg-quick > /etc/wireguard/mygroup.conf
Vault Agent
When combined with Vault Agent templating, this secrets engine will automatically add/remove clients in your Wireguard group. See the example agent.conf for more information.
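An added example of such an agent configuration, written here to show the pattern and not taken from the project's own agent.conf. It renders the wg-quick config for peer1 from the path used above; the Vault address, the AppRole auth method, the file paths and the reload command are assumptions.

```hcl
# Added example: Vault Agent config that keeps /etc/wireguard/mygroup.conf
# in sync with the peer config served by the wireguard secrets engine.
# Vault address, AppRole file paths and the reload command are assumed.

vault {
  address = "https://vault.example.internal:8200"
}

auto_auth {
  method "approle" {
    config = {
      role_id_file_path   = "/etc/vault/role_id"
      secret_id_file_path = "/etc/vault/secret_id"
    }
  }
}

template {
  # Same path and field as: vault read -field=config wireguard/groups/mygroup/peer1/wg-quick
  contents = <<EOT
{{ with secret "wireguard/groups/mygroup/peer1/wg-quick" }}{{ .Data.config }}{{ end }}
EOT
  destination = "/etc/wireguard/mygroup.conf"

  # The rendered file contains the peer's PrivateKey, so keep it owner-only.
  perms = "0600"

  # Re-read the config whenever the agent rewrites the file, e.g. after a peer
  # is added to or removed from the group (reload target is an assumption).
  command = "systemctl reload wg-quick@mygroup"
}
```

The agent re-renders the template whenever the secret changes, so peers written or deleted under wireguard/groups/mygroup show up in the [Peer] sections on the next refresh without a manual vault read.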
Build
Run make build